Huawei firewall NAT port mapping
Posted by 害怕网络暴力
1. Topology
CE1 uses its loopback interface to simulate an outside user that accesses TCP port 8080 on the internal host CE3. The firewall has to configure nat server so that the internal address 2.2.2.2:8080 is published as the global address 10.10.10.10:8080; only then can the outside user reach it.
From the configuration below, the topology is: CE1 (GE1/0/0 200.0.1.1/30, LoopBack0 1.1.1.1/32) connects to CE2 (GE1/0/0 200.0.1.2/30, GE1/0/1 200.0.0.1/30); CE2 connects to FW1 (GE0/0/0 200.0.0.2/30 in zone untrust, GE1/0/0 192.168.1.2/30 in zone trust); FW1 connects to CE3 (GE1/0/0 192.168.1.1/30, LoopBack0 2.2.2.2/32). CE1, CE2 and FW1 run OSPF area 0, and FW1 advertises a default route into OSPF so the outside routers have a path to 10.10.10.10.
2. Configuration
CE1:
<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch
[*HUAWEI-GE1/0/0]undo shutdown
[*HUAWEI-GE1/0/0]ip address 200.0.1.1 30
[*HUAWEI-GE1/0/0]qu
[*HUAWEI]interface LoopBack 0
[*HUAWEI-LoopBack0]ip address 1.1.1.1 32
[*HUAWEI-LoopBack0]qu
[*HUAWEI]ospf 1
[*HUAWEI-ospf-1]area 0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.1.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]qu
[*HUAWEI-ospf-1]qu
[*HUAWEI]commit
CE2:
<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch
[*HUAWEI-GE1/0/0]undo shutdown
[*HUAWEI-GE1/0/0]ip address 200.0.1.2 30
[*HUAWEI-GE1/0/0]in g1/0/1
[*HUAWEI-GE1/0/1]undo portswitch
[*HUAWEI-GE1/0/1]undo shutdown
[*HUAWEI-GE1/0/1]ip address 200.0.0.1 30
[*HUAWEI-GE1/0/1]qu
[*HUAWEI]ospf 1
[*HUAWEI-ospf-1]area 0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.1.2 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]network 200.0.0.1 0.0.0.0
[*HUAWEI-ospf-1-area-0.0.0.0]commit
FW1:
[USG6000V1]in g0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 200.0.0.2 255.255.255.252
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.2 255.255.255.252
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name local-untrust
[USG6000V1-policy-security-rule-local-untrust]source-zone local
[USG6000V1-policy-security-rule-local-untrust]destination-zone untrust
[USG6000V1-policy-security-rule-local-untrust]action permit
[USG6000V1-policy-security]rule name untrust-local
[USG6000V1-policy-security-rule-untrust-local]source-zone untrust
[USG6000V1-policy-security-rule-untrust-local]destination-zone local
[USG6000V1-policy-security-rule-untrust-local]action permit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet0/0/0
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1]nat server protocol tcp global 10.10.10.10 8080 inside 2.2.2.2 8080 no-reverse
[USG6000V1]ospf 1
[USG6000V1-ospf-1]default-route-advertise always
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 200.0.0.2 0.0.0.0
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name nat-out
[USG6000V1-policy-security-rule-nat-out]source-zone untrust
[USG6000V1-policy-security-rule-nat-out]destination-zone trust
[USG6000V1-policy-security-rule-nat-out]source-address 1.1.1.1 32
[USG6000V1-policy-security-rule-nat-out]destination-address 2.2.2.2 32
[USG6000V1-policy-security-rule-nat-out]service protocol tcp destination-port 8080
[USG6000V1-policy-security-rule-nat-out]action permit
[USG6000V1]ip route-static 2.2.2.2 32 192.168.1.1
Two points about the FW1 configuration. The nat-out rule names the inside address 2.2.2.2 as its destination-address, not the global address 10.10.10.10, because the USG applies the nat server translation before it matches the security policy, so a rule written against 10.10.10.10 would never match; the rule also limits the source to 1.1.1.1/32 and the service to TCP 8080, so only the simulated user can reach the published port. The local-untrust and untrust-local rules are there so the OSPF adjacency with CE2 can form; as written they permit all traffic between the untrust zone and the firewall itself, which is broader than the adjacency needs.
CE3:
<HUAWEI>sys
Enter system view, return user view with return command.
[~HUAWEI]in g1/0/0
[~HUAWEI-GE1/0/0]undo portswitch
[*HUAWEI-GE1/0/0]ip address 192.168.1.1 30
[*HUAWEI-GE1/0/0]undo shutdown
[*HUAWEI-GE1/0/0]qu
[*HUAWEI]ip route-static 0.0.0.0 0 192.168.1.2
[~HUAWEI]interface LoopBack 0
[*HUAWEI-LoopBack0]ip address 2.2.2.2 32
[*HUAWEI-LoopBack0]qu
[*HUAWEI]aaa
[*HUAWEI-aaa]local-user huawei password cipher Admin@123
[*HUAWEI-aaa]local-user huawei level 3
[*HUAWEI-aaa]local-user huawei service-type telnet
[*HUAWEI]telnet server port 8080
[~HUAWEI]user-interface vty 0 4
[~HUAWEI-ui-vty0-4]authentication-mode aaa
[*HUAWEI-ui-vty0-4]user privilege level 3
[*HUAWEI-ui-vty0-4]idle-timeout 5
[*HUAWEI-ui-vty0-4]quit
[*HUAWEI]commit
Test:
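To show how FW1 handles the test traffic, here is an added Python model of the firewall's nat server mapping, route-derived zones and security policy, built from the configuration above; it is example code, not the original post's, and the route table, zone names and rule fields are assumptions that mirror what the page configures.

```python
import ipaddress

# Constructed model of FW1 from the page: nat server mapping, route-derived zones
# and the security-policy rules. Hypothetical helper, not Huawei code.
NAT_SERVER = {  # (proto, global ip, global port) -> (inside ip, inside port)
    ("tcp", "10.10.10.10", 8080): ("2.2.2.2", 8080),
}
ROUTES = [  # prefix -> zone of the egress interface on FW1 (assumed)
    ("2.2.2.2/32", "trust"),      # ip route-static 2.2.2.2 32 192.168.1.1
    ("192.168.1.0/30", "trust"),  # GE1/0/0, zone trust
    ("1.1.1.1/32", "untrust"),    # learned via OSPF from CE1
    ("200.0.0.0/30", "untrust"),  # GE0/0/0, zone untrust
    ("0.0.0.0/0", "untrust"),     # anything else leaves via untrust
]
RULES = [  # rule name nat-out, as configured on the page
    {"name": "nat-out", "src_zone": "untrust", "dst_zone": "trust",
     "src": "1.1.1.1/32", "dst": "2.2.2.2/32", "proto": "tcp", "dport": 8080,
     "action": "permit"},
]


def translate(proto, dst_ip, dst_port):
    """nat server runs before the security policy: return the inside address."""
    return NAT_SERVER.get((proto, dst_ip, dst_port), (dst_ip, dst_port))


def zone_of(ip):
    """Longest-prefix match against ROUTES to find the destination zone."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), z) for p, z in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check(src_ip, src_zone, dst_ip, dst_port, proto="tcp", rules=RULES):
    """Return (action, post-NAT destination) for a first packet arriving at FW1."""
    in_ip, in_port = translate(proto, dst_ip, dst_port)
    dst_zone = zone_of(in_ip)
    for r in rules:
        if (r["src_zone"] == src_zone and r["dst_zone"] == dst_zone
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(in_ip) in ipaddress.ip_network(r["dst"])
                and r["proto"] == proto and r["dport"] == in_port):
            return r["action"], (in_ip, in_port)
    return "deny", (in_ip, in_port)  # implicit default deny


if __name__ == "__main__":
    print(check("1.1.1.1", "untrust", "10.10.10.10", 8080))    # permit -> 2.2.2.2:8080
    print(check("200.0.1.2", "untrust", "10.10.10.10", 8080))  # deny: source not 1.1.1.1
    print(check("1.1.1.1", "untrust", "10.10.10.10", 23))      # deny: port not published
```

Passing a rule whose destination-address is the global 10.10.10.10 instead of 2.2.2.2 to `check` shows why such a rule never matches: the policy sees the already-translated inside address.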